Network Monitor 3 Frequently Asked Questions
If you want to add a new FAQ, please feel free to contribute. Simply add a bullet under the appropriate section. Then create a Q: section and create an anchor using the text of your question (look at some of the other questions for examples). Then link to that new section and provide an answer section.
Parsing:
- How can I tell Network Monitor to parse a protocol that's on a non-standard port?
- How do I change or add a protocol parser?
Filtering:
- How can I learn more about filtering?
- How can I find text or some pattern anywhere in a capture?
Usage:
- How can I display IP addresses rather than resolved names?
- Why can't I save frames that I've captured?
Capturing:
- Why can't I see any adapters to select after I just installed Network Monitor?
- Why don't I see any frames when I capture?
- How do I make the Driver Capture Location registry setting take effect?
Installing:
- How can I get more information for a failed installation?
Q: How can I tell Network Monitor to parse a protocol that's on a non-standard port?
A: You can edit TCP.NPL and add the new port as a case statement for the protocol you wish to parse. For instance, if you want to parse port 1234 as HTTP, make the following change in TCP.NPL (the existing cases for 80 and 8080 are shown for context):
case 80:
case 8080:
case 1234:
    HTTP Http;
Once you make this change, you'll need to save the parser. For more information on how to proceed see the answer to "How do I change or add a protocol parser?".
Q: How do I change or add a protocol parser?
A: If you make changes using the Network Monitor application, you'll notice you get an "Access is denied" error when you attempt to save a change you've made. This happens because the files are located in a read-only location, which protects you from changing the original source. You will be prompted to save to another location, so choose "Yes". By default the location is "Documents\Network Monitor 3\Parsers", which is perfect.
After you have saved your parser you need to take one more step. Network Monitor 3.4 has a feature called Parser Profiles, and you need to use it to create a new profile that contains the directory with your parser change. From the Parser Profiles button, open "Parser Profile Options...". Then choose the profile you want to use as a base, hit the New button and select "Created From Selected". A new dialog will open with a list of directories. By default we add the "Documents\Network Monitor 3\Parsers" directory, where you hopefully saved your parser change. If you are adding a new directory, you'll have to add it manually. Now hit OK to save your changes.
If you are adding a new parser, one more step is necessary. You will need to update the my_sparser.npl file and include the name of the new file (do not use a full path). So for instance, if your new file is called MyNewParser.npl, add the following:
include "MyNewParser.npl"
To use your new parser, simply select it from the Parser Profiles drop-down button under User Defined Profiles. Assuming that no errors occurred while building the new parser set, you should be ready to go. If you do have errors, look in the parser window to understand what has happened.
Q: How can I learn more about filtering?
A: There are many resources that describe how to filter with Network Monitor 3.
- Look at "Using Filters" in the Network Monitor Help.
- The "How Do I" menu under "Use Filters".
- Watch the Network Monitor filtering video on YouTube.
- Various filtering articles on our blog.
Q: Why can't I see any adapters to select after I just installed Network Monitor?
A: Please check whether the driver is installed correctly and whether any of the problems below match your situation.
- On XP or Server 2003, NM3 uses the Network Monitor capture driver that ships with the OS. To check the driver status, enter "sc query nm" at a command prompt. You should see the state "4 Running". If it complains that the service is not installed, check whether you can install the service from Network Connections->Local Area Connection Properties->Install->Service->Network Monitor Driver. You may need an OS install CD to install this service if it is not installed with your SKU.
- On Vista and above, the Network Monitor driver is shipped with and installed by the installer. To check the driver status, enter "sc query nm3"; you should see the state "4 Running".
- Is this the first time you've run Network Monitor after the installation? You will need to log off and log back on before you can capture. You can also run as administrator if you have to capture immediately without logging off. For more details see Section 6, "Operating on Windows Vista, Windows Server 2008, and Windows 7", in ReleaseNotes.txt.
- Make sure you didn't try to install both Netmon2 and Netmon3 on Vista or a later OS. It is a known issue that the Netmon2 and Netmon3 drivers cannot coexist; doing so leaves the system in a bad state and in the worst case may require reinstalling the OS. The Network Monitor 3 installer refuses to install if it detects the Netmon2 driver on the system. If you upgrade the OS from XP or Server 2003 with Netmon2 installed, you will need to uninstall Netmon2 before installing NM3.x. If uninstalling Netmon2 from the Remove Programs panel fails, you can uninstall its driver manually by running "instdrvr.exe /deinstall" from its install directory.
- After the above steps, if the driver is still not in the running state, try restarting it. In an elevated command prompt window, enter "net stop nm3", then "net start nm3".
Q: Why don't I see any frames when I capture?
A: Check whether any of the following are true:
- Do you have any adapters selected? If not, perhaps there are none to select; if so, see "Why can't I see any adapters to select after I just installed Network Monitor?" above.
- Has Network Monitor reached the free-space limit on your temp directory location (%TMP%)? Refer to http://blogs.technet.com/netmon/archive/2009/11/23/no-frames-captured-due-to-disk-quota.aspx
- Does your %TMP% environment variable contain a space? This causes a problem, and the space will have to be removed in order to save frames.
- Is TCP Chimney enabled? In that case you might see a TCP 3-way handshake and then no other traffic. With TCP Chimney enabled, the NIC interfaces directly through memory with the TCP engine and bypasses NDIS completely, so Network Monitor never sees this traffic. On Windows 2008 and above you can type "netsh int tcp show global" at the command prompt to determine the offloading status. Before Windows 2008, offloading is an option that each NIC provides separately, so you'll need to consult your NIC manufacturer for exact instructions. See http://support.microsoft.com/kb/951037.
Q: How do I make the Driver Capture Location registry setting take effect?
A: The Driver Capture Location registry setting allows you to configure where the Network Monitor driver captures information. See the help, under Capture Options, for more details about this option. To make the option take effect, you must restart the driver. To do this without rebooting, type "sc stop nm3" and then "sc start nm3" on the command line. The key is listed below.
\HKLM\System\CurrentControlSet\Services\nm3\LoadUpperLayers
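The checks from the three capturing questions above (driver state, %TMP% path and free space, TCP Chimney, and the driver restart needed after changing the registry setting) collected into one diagnostic script. This is an added example, not code from the FAQ or from the Network Monitor team. It assumes the Vista-and-later service name nm3 (use nm on XP / Server 2003), that LoadUpperLayers is a value under the nm3 service key, that the netsh output contains a "Chimney Offload State" line (Vista / Server 2008 and later only), and an arbitrary 1 GB free-space warning threshold that is not a Network Monitor limit.

```powershell
# Added diagnostic script (not part of the FAQ). Run from an elevated
# PowerShell prompt; restarting the driver requires administrator rights.
$svcName = 'nm3'   # assumption: Vista+ driver name; XP / Server 2003 use 'nm'

function Test-NmDriver {
    # "sc query nm3" should report "STATE : 4 RUNNING"
    $out = (& sc.exe query $svcName 2>&1) -join "`n"
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Service '$svcName' is not installed (sc.exe exit code $LASTEXITCODE)."
        return $false
    }
    if ($out -match 'STATE\s*:\s*4\s+RUNNING') {
        Write-Host "Driver '$svcName' is running."
        return $true
    }
    Write-Warning "Driver '$svcName' is installed but not running."
    return $false
}

function Restart-NmDriver {
    # Same as "sc stop nm3" followed by "sc start nm3"; needed after editing
    # the Driver Capture Location registry setting or when the driver is stuck.
    & sc.exe stop $svcName | Out-Null
    Start-Sleep -Seconds 2            # give the stop a moment to complete
    & sc.exe start $svcName | Out-Null
    Start-Sleep -Seconds 2
    return (Test-NmDriver)
}

function Get-NmCaptureLocation {
    # Assumption: LoadUpperLayers is a value under the nm3 service key.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svcName"
    $item = Get-ItemProperty -Path $key -Name LoadUpperLayers -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value not set: driver default applies
    return $item.LoadUpperLayers
}

function Test-NmTempDir {
    $tmp = $env:TMP
    if ([string]::IsNullOrEmpty($tmp)) { Write-Warning '%TMP% is not set.'; return $false }
    $ok = $true
    if ($tmp.Contains(' ')) {
        Write-Warning "%TMP% ('$tmp') contains a space; frames cannot be saved until it is removed."
        $ok = $false
    }
    # Capture temp files live under %TMP%, so report free space on its drive.
    $drive = New-Object System.IO.DriveInfo($tmp.Substring(0, 1))
    $freeMB = [math]::Round($drive.AvailableFreeSpace / 1MB)
    Write-Host "Free space on $($drive.Name) (holds %TMP%): $freeMB MB"
    if ($freeMB -lt 1024) {   # 1 GB is an arbitrary warning threshold, not a NetMon limit
        Write-Warning 'Low free space under %TMP%; captures may stop producing frames.'
        $ok = $false
    }
    return $ok
}

function Test-TcpChimney {
    # "netsh int tcp show global" (Vista / Server 2008 and later)
    $out = (& netsh.exe int tcp show global) -join "`n"
    if ($out -match 'Chimney Offload State\s*:\s*(\w+)') {
        $state = $Matches[1]
        if ($state -ne 'disabled') {
            Write-Warning "TCP Chimney Offload is '$state'; offloaded connections bypass NDIS and are invisible to Network Monitor."
            return $false
        }
        Write-Host 'TCP Chimney Offload is disabled.'
        return $true
    }
    Write-Warning 'No "Chimney Offload State" line in netsh output; on older OS check each NIC''s offload setting instead.'
    return $false
}

# Run the checks in the order the FAQ suggests and print a summary.
$checks = @(
    @{ Name = 'Driver running';   Result = Test-NmDriver }
    @{ Name = 'TMP path/space';   Result = Test-NmTempDir }
    @{ Name = 'Chimney disabled'; Result = Test-TcpChimney }
)
foreach ($c in $checks) { '{0,-16} {1}' -f $c.Name, $(if ($c.Result) { 'OK' } else { 'CHECK' }) }
$loc = Get-NmCaptureLocation
if ($null -ne $loc) { "LoadUpperLayers = $loc (run Restart-NmDriver after changing it)" }
```

Each check returns a boolean so the summary can be read at a glance; after editing LoadUpperLayers, call Restart-NmDriver and confirm it returns $true, which is the same stop/start sequence the answer above describes.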
Q: How can I display IP addresses rather than resolved names?
A: In Network Monitor 3, the behavior of the Source column (which is just a property in NPL), is to show the alias name first, then the resolved name, then the IP, and finally the machine address.
You can add a separate column for the IP address; the properties are called SourceNetworkAddress and DestinationNetworkAddress.
You could also change the behavior of the source property in NPL, and add in the IPv4 address in addition to the resolved and aliased name if you wanted.
Q: How can I get more information for a failed installation?
A: When you install Network Monitor, NetmonInstall.log is created in the %tmp% directory. You might be able to find more information as to why the installation failed.
In some cases, the installation won't even start. This could be due to your %TMP% path containing a space. If this is the case, you can extract the files manually using the "/T:\tempdir /C" options. Then you can attempt to install each MSI manually using MSIExec and the following two commands:
- MSIExec /package netmon.msi /qr
- MSIExec /package NetworkMonitor_Parsers.msi /qr
This will install each of the two packages silently. If either of these fails, you might want to enable logging explicitly using the MSIExec command with the /l option. Type MSIExec /? for more details.
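The manual installation described above as a script: it runs the two MSIs one at a time with a verbose Windows Installer log each and stops at the first failure. This is an added example, not code from the FAQ or the Network Monitor installer; the extract directory is a constructed path chosen to contain no spaces, and /l*v is the standard msiexec verbose-logging switch that the FAQ's "/l option" refers to.

```powershell
# Added example (not from the FAQ): install the MSIs that "/T:<dir> /C"
# extracted, with a verbose log per package, stopping at the first failure.
$extractDir = 'C:\nm3extract'   # constructed example path; no spaces on purpose
$logDir = Join-Path $extractDir 'logs'
New-Item -ItemType Directory -Force -Path $logDir | Out-Null

function Install-NmPackage([string]$msiName) {
    $pkg = Join-Path $extractDir $msiName
    $log = Join-Path $logDir ($msiName -replace '\.msi$', '.log')
    # /qr = reduced UI, as in the FAQ; /l*v <file> = verbose log of every action
    $msiArgs = "/package `"$pkg`" /qr /l*v `"$log`""
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    return $proc.ExitCode
}

foreach ($msi in 'netmon.msi', 'NetworkMonitor_Parsers.msi') {
    $code = Install-NmPackage $msi
    if ($code -eq 0) {
        Write-Host "$msi installed."
    } elseif ($code -eq 3010) {
        # ERROR_SUCCESS_REBOOT_REQUIRED: the package is in, a reboot finishes it
        Write-Host "$msi installed; Windows Installer asks for a reboot to finish."
    } else {
        Write-Error "$msi failed with exit code $code; read the verbose log in $logDir."
        break   # do not try the second package after the first one failed
    }
}
```

The log file for a failed package is the first thing to read; the "Return value 3" line in a verbose MSI log marks the action that failed.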
Q: Why can't I save frames that I've captured?
A: In some situations you might not be able to save frames after capturing. This usually happens after a long capture session or after you've captured many frames. We recommend you use NMCap, the command line utility, to capture if you need to do so for long periods of time. NMCap can run for longer periods and has a smaller memory footprint as long as conversations are not required. The UI has to remember all state information, and when it gets into this state it is unable to save the capture file because it has run out of resources to do so.
However, you might be able to work around this problem. This blog about saving frames might help you work around this situation.
Q: How can I find text or some pattern anywhere in a capture?
A: There is a built-in plug-in called ContainsBin which can search all the frame data for an ASCII, Unicode or hex pattern. If you look under the Standard Filters in the application for "Search Frame", you will see some examples of how to use it. Keep in mind that it is case sensitive and you have to specify the type (ASCII, UNICODE or Hex) that you are looking for.
If you need something more flexible, we do have an expert called Simple Search which has some more features. It supports regular expressions and will also highlight the hex it finds by automating the UI. You can find that expert on our Experts page on CodePlex.